
CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know

New data protection regulations have significantly impacted the way that businesses collect, store, and handle clients’ personal information.

Considering the continuously increasing importance of data protection and privacy in today’s world, businesses should be up to speed with their data privacy policies and procedures.

The webinar covers:

1. ISO/IEC 27001 – Information Security Framework Key requirements under CCPA, CPRA, GDPR
• ISO/IEC 27005 – Information Security Risk Management
• ISO/IEC 27035 – Information Security Incident Management
• ISO/IEC 22301 & 27031 - Business Continuity Management (BCM)

2. Alternative Frameworks
• CMMC - Cybersecurity Maturity Model Certification
• NIST CSF Cybersecurity Framework
• ISO/IEC 27032 – Guidelines for Cybersecurity

3. Supplier Management

Date: April 21, 2021
Recorded Webinar: https://youtu.be/bi3tvvhGV1s


CMMC, ISO/IEC 27001, ISO/IEC 27032, and NIST – What You Need to Know

  1. Agenda
     1. ISO/IEC 27001 – Information Security Framework
        • ISO/IEC 27005 – Information Security Risk Management
        • ISO/IEC 27035 – Information Security Incident Management
        • ISO/IEC 22301 & 27031 – Business Continuity Management (BCM)
     2. Alternative Frameworks
        • NIST CSF – Cybersecurity Framework
        • CMMC – Cybersecurity Maturity Model Certification
        • ISO/IEC 27032 – Guidelines for Cybersecurity
     3. Supplier Management
     4. Conclusion
     5. Questions
  2. Links to other standards (diagram): ISO/IEC 27001 linked to Business Continuity & Disaster Recovery (ISO/IEC 22301, ISO/IEC 27031), Security Incident Management (ISO/IEC 27035), Information Security Risk Management (ISO/IEC 27005), Cyberspace / Ecosystem (ISO/IEC 27032), the Cybersecurity Framework (CSF) and CMMC.
  3. ISO/IEC 27001 Security framework
     1. Define and establish: 1.1 Context establishment; 1.2 Leadership and roles; 1.3 Risk Management; 1.4 Security Requirements; 1.5 Organization; 1.6 Statement of applicability
     2. Deploy and operate: 2.1 Treatment plan definition; 2.2 Controls deployment; 2.3 Documentation management; 2.4 Communication; 2.5 Awareness and training; 2.6 Operations management; 2.7 Security incident management
     3. Monitor and review: 3.1 Monitoring, analysis and assessment; 3.2 Internal audit; 3.3 Accreditation
     4. Maintain and improve: 4.1 Non-conformity management; 4.2 Continuous improvement
  4. ISO/IEC 27005 – Information Security Risk Management
     • Version: current 2018 (small update of 2011); revision ongoing (12/2022)
     • Context establishment: scope, stakeholders, criteria
     • Risk assessment: define what to protect (primary/supporting assets) and against what (threats, vulnerabilities, current controls)
     • Risk treatment: risk retention, avoidance, modification, sharing
     • Risk acceptance: acceptable residual risk level
     • Maturity: risk-based decisions provide the justification for other cyber activities (audit, pentest, incident, requirements, etc.)
  5. ISO/IEC 27035 – Information Security Incident Management
     • Security event vs security incident
       • Event: occurrence indicating a possible breach of information security or failure of controls
       • Incident: one or multiple related and identified information security events that meet established criteria and can harm the organization’s assets or compromise its operations
     • Versions:
       • Part 1: Principles of incident management – current: 2016; revision ongoing (06/2023)
       • Part 2: Guidelines to plan and prepare for incident management – current: 2016; revision ongoing (06/2023)
       • Part 3: Guidelines for ICT incident response operations (technical) – current: 2020
       • Part 4: Coordination (ongoing – based on a Chinese CERT initiative) – planned: 05/2024
     • Designed to fulfil ISO/IEC 27001 Annex A, control 16 (IS Incident Management)
  6. ISO/IEC 22301 and 27031 – Business Continuity Management (BCM) & ICT Service Continuity (ITSCM)
     • Version:
       • ISO/IEC 22301 – current: 2019 (minor update of 2012)
       • ISO/IEC 27031 – current: 2011 (new version under development)
     • Context establishment: scope, stakeholders, criteria
     • Business Impact Analyses (BIAs): based on IS risk assessments (ISO/IEC 27005); priorities, objectives; key to a well-functioning BCMS
     • Business continuity strategies & solutions: priorities, resources, mitigation; training & awareness plans, preparation plans; Disaster Recovery Plans (DRP) – ISO/IEC 27031 for ICT
     • Business continuity procedures: Business Continuity Plans (BCP), Incident Response Plans (IRP), Recovery Plans (RP), Transportation Plans, Communication Procedures, etc.
  7. 2. Alternative Frameworks
     • NIST CSF – Cybersecurity Framework
     • CMMC – Cybersecurity Maturity Model Certification
     • ISO/IEC 27032 – Guidelines for Cybersecurity
  8. NIST CSF – Cybersecurity Framework
     • Tier – degree of rigor: 1 (Partial) to 4 (Adaptive); cybersecurity-based risk decisions; stakeholder cybersecurity integration
     • Core (link to COBIT, NIST, ISO, etc.):
       • 5 Functions: Identify / Protect / Detect / Respond / Recover
       • 23 Categories: Risk assessment, Security Monitoring, etc.
       • 108 Subcategories: requirement detail
     • Profile: current status; target profile
     • More information: https://www.nist.gov/cyberframework/online-learning
  9. CMMC – Cybersecurity Maturity Model Certification
     • Release: Version 1.0 – 31/01/2020
     • US Department of Defense (DoD) contractors: DoD's response to significant compromises of sensitive defense information located on contractors' information systems
     • CMMC levels:
       • Level 1: 17 controls
       • Level 2: 72 controls (includes Level 1 controls)
       • Level 3: 130 controls (includes Level 2 controls)
       • Level 4: 156 controls (includes Level 3 controls)
       • Level 5: 171 controls (includes Level 4 controls)
     • Links to security controls from NIST SP 800-171, NIST SP 800-53, ISO/IEC 27001 and ISO/IEC 27032, among others
     • Difference to ISO/IEC 27001: ISMS perimeter vs whole organization
     • Difference to NIST CSF: same objective, protect CUI (Controlled Unclassified Information); NFOs (Non-Federal Organizations) are out of scope (not for the US DoD)
  10. ISO/IEC 27032 – Guidelines for Cybersecurity
     • Version: current 2012; revision ongoing (10/2022)
     • Change of perimeter: Cybersecurity – Guidelines for Internet security
     • Cyberspace: space resulting from the emergence of the Internet, plus the people, organizations, and activities on all sorts of technology devices and networks that are connected to it. It can be seen as the assets (primary/supporting + stakeholders/ecosystem)
     • Supplier Management
     • Education, Awareness & Training
     • Malware Protection
     • Change Management
     • Cryptography
     • Asset Management
     • Cybersecurity Incident Management
     • Vulnerability Management
     • Business Continuity
  11. 3. Supplier Management – Secure Ecosystem
     • Examples: SolarWinds, Stuxnet
     • How to reduce the threat from stakeholders?
       • Increase the cybersecurity maturity level
       • Decrease the exposure
  12. 4. Conclusion – There are different information & cyber security approaches
     • Choose the framework corresponding to your business needs: customer requirements; regulation requirements (Finance, Energies, Telecom, NIS, SOX, etc.); legal requirements (EU, US, etc.)
     • Remain in one framework: mixing frameworks will mainly result in an uncontrollable nightmare; you can include some parts of other frameworks as “best practices”; assessing maturity levels or benchmarking is easier within one framework
     • Secure your whole perimeter: define the scope properly and completely; include all your stakeholders; do not limit yourself to your own organization
  13. 5. Questions – Thank you for your attention


  • ctopaloglu

    Jul. 20, 2021
